Great news: Healthcare.gov still has “critical risk” security flaws

Ed MorrisseyPosted at 10:41 am on November 19, 2013

The news that the ObamaCare web portal had serious security gaps started emerging over the summer, as a number of state Attorneys General picked up on an Inspector General report criticizing a lack of security testing for Healthcare.gov. After its launch on October 1, the security flaws became an acute issue as the White House continued to insist that the site was safe, but pledged to correct any issues along with the operational failures that immediately erupted. An expert will testify today that the security issues haven’t even been significantly addressed after seven weeks, and that any user entering personal data faces a “critical risk” of data theft:

A respected security expert will warn Congress on Tuesday that the Obama administration’s healthcare website has security flaws that put user data at a “critical risk,” despite recent government assurances the data is safe.

“There are actual live vulnerabilities on the site now,” David Kennedy, head of computer security consulting firm TrustedSec LLC, told Reuters ahead of his testimony at a Congressional hearing on the topic “Is My Data on HealthCare.gov Secure?”

Kennedy, a former U.S. Marine Corps cyber-intelligence analyst, said his firm has prepared a 17-page report describing some of the problems. It does not go into specifics in some areas, he said, because that could provide criminals with a blueprint for launching attacks.

At the same time, the Obama administration insisted that the Healthcare.gov portal was safe to use. On October 30th, HHS spokesperson Joanne Peters claimed that everything was fine:

Yet HHS spokeswoman Joanne Peters said that during the interim the public need not worry about the security of data entered on the site, which helps them identify and enroll inhealth insurance plans.

“When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure,” she said.

This looks like yet another lie from the administration, and one that might cost those who trusted it dearly.